Breaches galore as Cryptome hacked to infect visitors with malware

A hack that caused the information repository to attack its visitors is one of …

A breach that caused Cryptome.org to infect visitors with virulent malware was one of at least six attacks reported to hit high-profile sites or services in the past few days. Others affected included Ticketmaster, websites for Mexico and the state of Alabama, Dutch ISP KPN, and the Microsoft store in India.

Cryptome, a repository of leaked documents and other information concerning free speech, privacy and cryptography, was attacked by hackers who left code on its servers that attempted to infect visitors using Windows PCs with a trojan spawned by the Blackhole Toolkit, the website reported on Sunday.

Cryptome founder John Young said in an e-mail that he believes the attackers were able to infect his website with a poisoned PHP file by exploiting a weakness in security or server software provided by Network Solutions, which hosts the Cryptome website.

"It is not yet clear how the attacker got past Network Solutions (our ISP)'s security which has been pretty good," Young wrote in an e-mail to Ars. "A security expert sent a message just minutes ago which included a security scan of Cryptome which indicated the attacker likely knew how to bypass NetSol's security with sophisticated tricks."

The security expert said an exploit of the PHP management system gave attackers highly privileged write access to the Cryptome server's document root. The attack was likely carried out by an automated script that swept large swaths of the Internet for vulnerable Web servers.

If the vulnerability that was exploited resides in the software Network Solutions provides its customers, other websites may be compromised by the same attack, said the security researcher, who asked to be identified as Lifeguard. A spokesman for Network Solutions didn't immediately respond to requests for comment. Network Solutions customers who have recently experienced security breaches are encouraged to contact this reporter.

According to security firm Symantec, the Blackhole Toolkit exploits vulnerabilities in a variety of software packages running on Microsoft's Windows operating system. The PHP code on Cryptome's servers specifically excluded infecting machines using IP addresses from Google, presumably to keep the infection from coming to the attention of the company's antimalware defenses. Indeed, Google's safe browsing diagnostics for Cryptome showed no reports of compromise.
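As an added, defender-side illustration of the two findings above (write access to the document root, and PHP that behaves differently for Google's addresses), here is a small Python file-integrity and cloaking scan. It is not code from the article, from Cryptome, or from Network Solutions; the document root, file names, the injected sample file and its indicator strings are all constructed for the example.

```python
"""Scan a web document root for new or modified PHP files and for cloaking
indicators (crawler/IP checks, eval-of-decoded payloads, hidden iframes).

Added example; the sample files and indicator patterns are constructed."""
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators typical of injected landing pages: hiding from crawler IPs or
# user agents, and decoding then evaluating an obfuscated payload.
CLOAKING_PATTERNS = {
    "remote_addr_check": re.compile(r"\$_SERVER\s*\[\s*['\"]REMOTE_ADDR['\"]\s*\]"),
    "crawler_ua_check": re.compile(
        r"(googlebot|bingbot).{0,80}HTTP_USER_AGENT|HTTP_USER_AGENT.{0,80}(googlebot|bingbot)",
        re.I),
    "eval_decode": re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
    "hidden_iframe": re.compile(r"<iframe[^>]*\b(width|height)\s*=\s*['\"]?0\b", re.I),
}


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_baseline(docroot: Path) -> dict:
    """Hash every .php file under the document root at a known-good moment."""
    return {str(p.relative_to(docroot)): sha256_file(p)
            for p in sorted(docroot.rglob("*.php"))}


def scan_docroot(docroot: Path, baseline: dict) -> dict:
    """Compare the tree with the baseline and grep each file for indicators.
    Returns {relative_path: [findings...]} for files an analyst should look at."""
    findings = {}
    for p in sorted(docroot.rglob("*.php")):
        rel = str(p.relative_to(docroot))
        hits = []
        if rel not in baseline:
            hits.append("new_file")
        elif baseline[rel] != sha256_file(p):
            hits.append("modified")
        text = p.read_text(errors="replace")
        hits.extend(name for name, pat in CLOAKING_PATTERNS.items() if pat.search(text))
        if hits:
            findings[rel] = hits
    for rel in baseline:                       # files removed since the baseline
        if not (docroot / rel).exists():
            findings[rel] = ["deleted"]
    return findings


CLEAN_INDEX = "<?php echo 'Welcome'; ?>\n"

# Constructed injected file: bails out for a crawler IP prefix and user agent,
# then evaluates a decoded payload (here a harmless placeholder) and emits a
# zero-size iframe for everyone else.
INJECTED = """<?php
if (strpos($_SERVER['REMOTE_ADDR'], '66.249.') === 0) { exit; }
if (preg_match('/googlebot/i', $_SERVER['HTTP_USER_AGENT'])) { exit; }
eval(base64_decode('ZWNobyAnaGknOw=='));  // decodes to: echo 'hi';
echo '<iframe src="http://example.invalid/landing" width="0" height="0"></iframe>';
?>
"""


def demo() -> dict:
    """Build a clean baseline, simulate a write-access compromise, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text(CLEAN_INDEX)
        (root / "about.php").write_text("<?php echo 'About'; ?>\n")
        baseline = build_baseline(root)
        # An attacker with write access drops a new file and hooks it into the index.
        (root / "cache.php").write_text(INJECTED)
        (root / "index.php").write_text(CLEAN_INDEX + "<?php include 'cache.php'; ?>\n")
        return scan_docroot(root, baseline)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

The baseline hashes are what make the "modified" and "deleted" findings possible; the indicator regexes alone would have missed the one-line include appended to index.php, which is exactly the kind of change a hosting-provider compromise leaves behind.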

Members of the loosely organized hacker collective Anonymous reportedly took credit for a denial-of-service attack that took out the US government's CIA website and then backed away from the claim.

What does this have to do with anything? Is there any reason to think Anonymous are behind these attacks, or do you have to stick their name in every article to generate pageviews? Back it up or cut it - idle speculation and name-dropping have no place in an Ars article.

Members of the loosely organized hacker collective Anonymous reportedly took credit for a denial-of-service attack that took out the US government's CIA website and then backed away from the claim.

What does this have to do with anything? Is there any reason to think Anonymous are behind these attacks, or do you have to stick their name in every article to generate pageviews? Back it up or cut it - idle speculation and name-dropping have no place in an Ars article.

Yeah that came totally out of left field.

"A new rash of suicide bombings prompted panic in Iraq today. A car bomb detonated outside a mosque, killing 86 and wounding at least 300. Leonard Wilkins of Chicago cannot find his pet cat Tiffy, and thinks his neighbor's dog Zeus, a known cat killer, may be responsible."

What user agent vulnerability or vulnerabilities were exploited to distribute the final malware? Do they simply serve an EXE instead of the home page?

Well because it was a trusted site, even with SSL (no certificate issues) if the site asked to install something - "In order to ... please run this file..." Most users would click OK and run it - everything appears legit...

Members of the loosely organized hacker collective Anonymous reportedly took credit for a denial-of-service attack that took out the US government's CIA website and then backed away from the claim.

What does this have to do with anything? Is there any reason to think Anonymous are behind these attacks, or do you have to stick their name in every article to generate pageviews? Back it up or cut it - idle speculation and name-dropping have no place in an Ars article.

I agree, this author should be reminded that tactless entries to generate speculation or other agendas should be left at the door.

John has accused Julian Assange of CIA-ties. The only problem is that "John" himself has all of the same connections he accused Julian of having, in addition to those with blowhard/agent Alex Jones (with whom Julian hasn't associated for reasons of taste).

Step 1: Check inputs and use prepared statements on all SQL reads & writes.
Step 2: Store passwords as hashes (preferably Whirlpool) with salts.
Step 3: Store other sensitive info (credit cards, etc.) in an encrypted state (preferably AES), or not at all.
Step 4: Keep OS and webserver software up to date.
Step 5: To avoid FTP and SSH passwords being keylogged off the client, companies should really not let sysadmins remote in from their own PCs. All access to the server should be from dedicated computers with very limited internet access so they can't get rooted.
Step 6: ?
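Steps 1 and 2 of the comment above, worked through as an added Python example (not code from the article or from the commenter). It uses an in-memory SQLite database with constructed rows, shows the string-built query beside the prepared statement, and hashes passwords with PBKDF2-HMAC-SHA256 from the standard library rather than the commenter's Whirlpool, which hashlib does not guarantee is available.

```python
"""Prepared statements and salted password hashing, side by side.

Added example with constructed data; PBKDF2 is used in place of Whirlpool."""
import hashlib
import hmac
import os
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn


# ---- Step 2: salted, iterated password hashes ----
def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def register(conn: sqlite3.Connection, name: str, password: str) -> None:
    salt = os.urandom(16)             # unique per user, stored beside the hash
    conn.execute("INSERT INTO users (name, salt, pw_hash) VALUES (?, ?, ?)",
                 (name, salt, hash_password(password, salt)))


def verify_password(conn: sqlite3.Connection, name: str, password: str) -> bool:
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(stored, hash_password(password, salt))


# ---- Step 1: string-built query (vulnerable) beside a prepared statement ----
def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # Deliberately vulnerable: the input is spliced into the SQL text
    query = "SELECT name FROM users WHERE name = '%s'" % name
    return [r[0] for r in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameter binding: the input is passed as data and never parsed as SQL
    return [r[0] for r in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def demo() -> dict:
    conn = make_db()
    register(conn, "alice", "correct horse")
    register(conn, "bob", "battery staple")
    probe = "x' OR '1'='1"            # constructed textbook tautology input
    return {
        "unsafe_rows": lookup_unsafe(conn, probe),   # leaks every row
        "safe_rows": lookup_safe(conn, probe),       # matches nothing
        "alice_ok": verify_password(conn, "alice", "correct horse"),
        "alice_wrong": verify_password(conn, "alice", "battery staple"),
        "distinct_salts": conn.execute("SELECT COUNT(DISTINCT salt) FROM users").fetchone()[0],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The per-user random salt is what makes step 2 worthwhile: two users with the same password get different stored hashes, so a leaked table cannot be attacked with one precomputed dictionary.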

Not to downplay the potential severity or concern of the article at hand, but:

From the homepage's article description:

Quote:

Other victims include Microsoft, Dutch ISP KPN, Ticketmaster

From the article:

Quote:

Others affected included Ticketmaster, websites for Mexico and the state of Alabama, Dutch ISP KPN, and the Microsoft store in India.

Microsoft and Microsoft Store in India... that's a wee bit of a difference, don't you think?

Thankfully I saw the article earlier on that, and I know the "omg microsoft hacked" is a great eyeball clicker (I can be considered a victim), but it comes across as pretty bad sensationalizing imo ars

The title also led me to believe that there was some sort of causality or link between the attacks. Had to read through twice to make sure they were separate. *edit* looked back at the synopsis and realized it was again the source of confusion. Technically accurate, but still seems to imply the incidents are connected in my opinion */edit*

How to profit:

Step 5 To avoid FTP and SSH passwords being keylogged off the client, companies should really not let sysadmins remote in from their own PCs. All access to the server should be from dedicated computers with very limited internet access so they can't get rooted.

Look I am sure you put in some time on this and I am not saying that it's not newsworthy. It just feels like something I would read in the Enquirer and not Ars. Give me the old CPU Praxis articles and leave the fluff on MSN please.

It's so nice that these freelance pen testers give away their time and talent! Otherwise, Ticketmaster, et al would just happily hum along thinking, wrongly, that their websites were secure!

Sort of like: It's so nice that these freelance burglars give away their time and talent! Otherwise, some homeowner, et al would just happily hum along thinking, wrongly, that their homes were secure.

There is no excuse.

So -- what are you accusing the subjects of the article of burgling? I know, I know, next you'll modify your righteous ire to say that trespass is also a crime ...

I'm accusing them of being moronic criminals, but the analogy was correct.

righteous ire ?

LoL judging from your reply I guess you don't understand the meaning of ironic either. I see you also don't understand what an analogy is.

Oh, by the way, there is such a thing as criminal trespass, which is a crime. Generally, a person is guilty of criminal trespass if he knowingly enters or remains unlawfully in a dwelling or premises, or if he knowingly enters or remains unlawfully in a building or upon real property which is fenced or enclosed in a manner designed to exclude intruders. A person commits criminal trespass who, knowing he does not have the owner's effective consent to do so, enters or remains on property, or a portion thereof. Laws and specifications vary from state to state, but that's the general definition.

Maybe I could have used criminal trespass as an analogy too. Sounds pretty damn similar, but oh wait - this is the internet, so that makes it OK to commit a crime then. I guess that's what you're thinking, that it's OK to commit a crime, OK to enter someone else's 'property' (a server) and deface it and steal from it. I guess you think that's an OK thing to do then, huh? If that's OK, then by golly you should have no complaint at all if someone breaks into your property and defaces it and steals from it, but I'll bet you will say that's different.

Oh, by the way, hacking someone else's system is a crime too. It's called computer intrusion (at a minimum), but that's OK, after all it's the internet and you think it's not a crime, so we are all saved now.

Last Thursday, two drunk-driving hit and run accidents occurred in my city. One man was killed and another wounded. A self-admitted member of the hacker group, Anonymous, was once arrested for drunk driving, but acquitted.

In other news, a woman allegedly murdered her husband in a crime of passion after she was caught cheating on him with his best friend. The woman was taken into custody late last Thursday and is being held without bond. Trial is set for last Thursday. A woman from the hacker group, Anonymous, claimed to have allegedly murdered her husband last Thursday as well, but later denied the claim and said, quote, "I did it for the lulz."

I must personally and sincerely thank anyone involved with this one, especially since corporate monopoly TicketMaster was affected. Here in the United States, a majority of TicketMaster "operations" are out of (nearby) Charleston, West Virginia - of all places. There is next to zero security of any kind at the facility - especially relating to any computer security.

"It is not yet clear how the attacker got past Network Solutions (our ISP)'s security which has been pretty good," Young wrote in an e-mail to Ars.

In my experience, they (and many other hosting companies) provide unpatched and poorly configured software and then blame you for not updating it yourself. Not that they usually provide any easy way to do this, or make you aware of the age and condition of the software.